mon

Reputation: 22356

AWS CLI - How to attach IAM policy to SSO role?

Suppose:

  1. a user X is managed in Azure AD and linked to an SSO role in an AWS organization.
  2. we want to give an IAM policy to access the DynamoDB in an AWS account A to the user X.

I created the IAM policy in the Account A because the DynamoDB is specific to the AWS account A. Then, how can I attach the IAM policy to the SSO role for user X using AWS CLI?

Upvotes: 0

Views: 211

Answers (1)

Tsal Troser

Reputation: 814

You can't. AWS won't allow you to manually update the policy of SSO federated roles/users (obviously). You need to update the user's SSO role permission set from IAM Identity Center.

aws iam attach-role-policy --role-name AWSReservedSSO_xxxxx_xxxxx --policy-arn <policy_arn>

An error occurred (UnmodifiableEntity) when calling the AttachRolePolicy operation:
Cannot perform the operation on the protected role 'AWSReservedSSO_xxxxx_xxxxx' - this role is only modifiable by AWS

Upvotes: 1
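The permission-set route the answer points to, written out as added AWS CLI example code (not from the post or from AWS documentation). It assumes the customer managed policy already exists in account A under the name and path you pass in, that you know the permission set ARN behind user X's SSO role, and that the commands run with credentials in the Identity Center management (or delegated administrator) account; all identifiers in the sample invocation are constructed placeholders.

```shell
# Attach the customer managed policy from account A to the permission set that
# backs user X's SSO role, then re-provision the permission set into account A.
set -eu

# Roles named AWSReservedSSO_* are owned by IAM Identity Center; iam
# attach-role-policy on them fails with UnmodifiableEntity, so scripts should
# detect them up front and take the permission-set route instead.
is_identity_center_role() {
  case "$1" in
    AWSReservedSSO_*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 instance ARN, $2 permission set ARN, $3 policy name, $4 policy path, $5 account id
# A customer managed policy reference is resolved by name and path inside each
# target account, so the policy must exist in account A before provisioning.
attach_policy_to_permission_set() {
  instance_arn=$1 ps_arn=$2 policy_name=$3 policy_path=$4 account_id=$5
  aws sso-admin attach-customer-managed-policy-reference-to-permission-set \
    --instance-arn "$instance_arn" \
    --permission-set-arn "$ps_arn" \
    --customer-managed-policy-reference "Name=$policy_name,Path=$policy_path"
  # Push the updated permission set to the account so the provisioned
  # AWSReservedSSO_* role picks up the new policy.
  aws sso-admin provision-permission-set \
    --instance-arn "$instance_arn" \
    --permission-set-arn "$ps_arn" \
    --target-type AWS_ACCOUNT \
    --target-id "$account_id"
}

# Sample invocation with constructed placeholder identifiers (assumed, not from the post).
main() {
  instance_arn=$(aws sso-admin list-instances \
    --query 'Instances[0].InstanceArn' --output text)
  attach_policy_to_permission_set "$instance_arn" \
    "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE" \
    "DynamoDBAccessForX" "/" "111111111111"
}

# Only call AWS when explicitly requested: RUN_EXAMPLE=1 sh attach.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main; fi
```

Provisioning fails if any account the permission set is assigned to lacks a policy with that exact name and path, so create the policy in every such account, not only account A.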
